From nobody Thu May 8 00:27:38 2025
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as
permitted sender) client-ip=209.51.188.17;
envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
helo=lists.gnu.org;
Authentication-Results: mx.zohomail.com;
dkim=fail;
spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted
sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
dmarc=fail(p=none dis=none) header.from=linaro.org
ARC-Seal: i=1; a=rsa-sha256; t=1563198177; cv=none;
d=zoho.com; s=zohoarc;
b=YM2AuDv0bpkifSS8h09GmBJXUnS4R5Uw+hEXAAspUyg0zJjGm6CIvI1EcPPW70Ty48gfsYc5qMMaNCnwe13D8f6ifwsY35Gs7rtPqwOkhQP2402oFrPfxx9AMksKhn63cLuQFsO05RdVbHcPY8VG1nhK1PvqmcCEuWalr1KZ6xA=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com;
s=zohoarc;
t=1563198177;
h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results;
bh=M7cygNuQv/R1u8CJs+gp7c5R4DnZyamtxh5srkkTrmQ=;
b=UToALzXs4qpvMwF38bJSdiTsX0Lps4ITdnUZBPczApNvIp5W0n0zoJONC+o/u/SgFcaK/QxNTvL5LHcErnIFivxucfSycB7rRBoF9AYHZ/5hLn8TLjA1PevUhecZ4RfhBkSVoBXELHBodw04auM7XaGMcVYMzRIScnshiB/GSjM=
ARC-Authentication-Results: i=1; mx.zoho.com;
dkim=fail;
spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted
sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
dmarc=fail header.from=<peter.maydell@linaro.org> (p=none dis=none)
header.from=<peter.maydell@linaro.org>
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by
mx.zohomail.com
with SMTPS id 1563198177493573.7760551723445;
Mon, 15 Jul 2019 06:42:57 -0700 (PDT)
Received: from localhost ([::1]:38716 helo=lists1p.gnu.org)
by lists.gnu.org with esmtp (Exim 4.86_2)
(envelope-from <qemu-devel-bounces+importer=patchew.org@nongnu.org>)
id 1hn1Fn-0001E3-K8
for importer@patchew.org; Mon, 15 Jul 2019 09:42:55 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:51789)
by lists.gnu.org with esmtp (Exim 4.86_2)
(envelope-from <peter.maydell@linaro.org>) id 1hn1FG-0007sW-VH
for qemu-devel@nongnu.org; Mon, 15 Jul 2019 09:42:24 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
(envelope-from <peter.maydell@linaro.org>) id 1hn1FF-0006Ah-6E
for qemu-devel@nongnu.org; Mon, 15 Jul 2019 09:42:22 -0400
Received: from mail-wm1-x336.google.com ([2a00:1450:4864:20::336]:51208)
by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
(Exim 4.71) (envelope-from <peter.maydell@linaro.org>)
id 1hn1FE-000693-Rt
for qemu-devel@nongnu.org; Mon, 15 Jul 2019 09:42:21 -0400
Received: by mail-wm1-x336.google.com with SMTP id 207so15247139wma.1
for <qemu-devel@nongnu.org>; Mon, 15 Jul 2019 06:42:19 -0700 (PDT)
Received: from orth.archaic.org.uk (orth.archaic.org.uk. [81.2.115.148])
by smtp.gmail.com with ESMTPSA id c7sm14221808wro.70.2019.07.15.06.42.17
for <qemu-devel@nongnu.org>
(version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);
Mon, 15 Jul 2019 06:42:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
h=from:to:subject:date:message-id:in-reply-to:references:mime-version
:content-transfer-encoding;
bh=M7cygNuQv/R1u8CJs+gp7c5R4DnZyamtxh5srkkTrmQ=;
b=uyL6kkJrL5xDlguPEnMeJZn4TYutZ/hvvgUKVtFckiWXqDqR2hbbMAH0WeYQ1rEM28
8ldy9gyjGB35j9v8nlOtyLxbpH9sPobvtOMTx/X/3wdYnZ9TxHBFV4KOkxAcFIHeCEKi
0dvNQ2+ygiKEAK7hOpsLRFtaY4NyPqkOaD/k0ZUK9UYYyVYjXPZRR7+PXRy+XclOWjCm
dNDB1OELySa+Xq01GMBwx/Wc0wRj2/G2khq6FSqi46PJ4o7GhojgoQZBBlVseacKCrxE
Fk9cmBs2sKXJlK8CY7f2xC/y2oVDqoIOkL3MP/+svWm5vTX/7sS4J3AzSxiuUJHB66kf
HIGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
:references:mime-version:content-transfer-encoding;
bh=M7cygNuQv/R1u8CJs+gp7c5R4DnZyamtxh5srkkTrmQ=;
b=UdAepvspApNb4df9iKIY2L7/T8lHaGe7u+/Shy09szHFAIkl+g6ptenItk806LNx+R
7/XUXFLEtBiHAZahVGl+slcY5qpracYGNvLSGnghw73TQCYECramKjlJNDjUCD6RbGlB
2v/75gQqUSensNfiYOZ56svs5bKRocAfWg9koAtVZeitZhT+U13aOuS+16tfgvvFhnbx
kCUrYSuCMhF2/UlEFfSSapoCjE2kqcPFX4R/7PU6zkVnT3zWqCSbDCNO74Iz4LcrtZ7O
dUuPdN5pFt0NboI0uOA4S66wmjvqmhIG2YJgxvbqt2R01KR2P2q3QuCvvmTyo8pCJEh6
g5uQ==
X-Gm-Message-State: APjAAAXnERhKAKDbWUW/lG5oiqdkOO3CBNPyXj597DR2Q+2RbokoJNDO
xb3aQB3ovui7CT3HxshY//LJncVK9LEPlg==
X-Google-Smtp-Source:
APXvYqz2QhUSu65jI50uusGpa4vkEFrU9IHf3GO0dlnTCPUZt1TiIXKzG+Yxgmjh/IL9z8id3gEGlQ==
X-Received: by 2002:a1c:4c1a:: with SMTP id z26mr24343489wmf.2.1563198138072;
Mon, 15 Jul 2019 06:42:18 -0700 (PDT)
From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Date: Mon, 15 Jul 2019 14:42:06 +0100
Message-Id: <20190715134211.23063-6-peter.maydell@linaro.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190715134211.23063-1-peter.maydell@linaro.org>
References: <20190715134211.23063-1-peter.maydell@linaro.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
recognized.
X-Received-From: 2a00:1450:4864:20::336
Subject: [Qemu-devel] [PULL 05/10] hw/ssi/mss-spi: Avoid crash when reading
empty RX FIFO
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+importer=patchew.org@nongnu.org>
X-ZohoMail-DKIM: fail (Header signature does not verify)
From: Philippe Mathieu-Daud=C3=A9 <philmd@redhat.com>
Reading the RX_DATA register when the RX_FIFO is empty triggers
an abort. This can be easily reproduced:
$ qemu-system-arm -M emcraft-sf2 -monitor stdio -S
QEMU 4.0.50 monitor - type 'help' for more information
(qemu) x 0x40001010
Aborted (core dumped)
(gdb) bt
#1 0x00007f035874f895 in abort () at /lib64/libc.so.6
#2 0x00005628686591ff in fifo8_pop (fifo=3D0x56286a9a4c68) at util/fifo8=
.c:66
#3 0x00005628683e0b8e in fifo32_pop (fifo=3D0x56286a9a4c68) at include/q=
emu/fifo32.h:137
#4 0x00005628683e0efb in spi_read (opaque=3D0x56286a9a4850, addr=3D4, si=
ze=3D4) at hw/ssi/mss-spi.c:168
#5 0x0000562867f96801 in memory_region_read_accessor (mr=3D0x56286a9a4b6=
0, addr=3D16, value=3D0x7ffeecb0c5c8, size=3D4, shift=3D0, mask=3D429496729=
5, attrs=3D...) at memory.c:439
#6 0x0000562867f96cdb in access_with_adjusted_size (addr=3D16, value=3D0=
x7ffeecb0c5c8, size=3D4, access_size_min=3D1, access_size_max=3D4, access_f=
n=3D0x562867f967c3 <memory_region_read_accessor>, mr=3D0x56286a9a4b60, attr=
s=3D...) at memory.c:569
#7 0x0000562867f99940 in memory_region_dispatch_read1 (mr=3D0x56286a9a4b=
60, addr=3D16, pval=3D0x7ffeecb0c5c8, size=3D4, attrs=3D...) at memory.c:14=
20
#8 0x0000562867f99a08 in memory_region_dispatch_read (mr=3D0x56286a9a4b6=
0, addr=3D16, pval=3D0x7ffeecb0c5c8, size=3D4, attrs=3D...) at memory.c:1447
#9 0x0000562867f38721 in flatview_read_continue (fv=3D0x56286aec6360, ad=
dr=3D1073745936, attrs=3D..., buf=3D0x7ffeecb0c7c0 "\340=C7=B0\354\376\177"=
, len=3D4, addr1=3D16, l=3D4, mr=3D0x56286a9a4b60) at exec.c:3385
#10 0x0000562867f38874 in flatview_read (fv=3D0x56286aec6360, addr=3D1073=
745936, attrs=3D..., buf=3D0x7ffeecb0c7c0 "\340=C7=B0\354\376\177", len=3D4=
) at exec.c:3423
#11 0x0000562867f388ea in address_space_read_full (as=3D0x56286aa3e890, a=
ddr=3D1073745936, attrs=3D..., buf=3D0x7ffeecb0c7c0 "\340=C7=B0\354\376\177=
", len=3D4) at exec.c:3436
#12 0x0000562867f389c5 in address_space_rw (as=3D0x56286aa3e890, addr=3D1=
073745936, attrs=3D..., buf=3D0x7ffeecb0c7c0 "\340=C7=B0\354\376\177", len=
=3D4, is_write=3Dfalse) at exec.c:3466
#13 0x0000562867f3bdd7 in cpu_memory_rw_debug (cpu=3D0x56286aa19d00, addr=
=3D1073745936, buf=3D0x7ffeecb0c7c0 "\340=C7=B0\354\376\177", len=3D4, is_w=
rite=3D0) at exec.c:3976
#14 0x000056286811ed51 in memory_dump (mon=3D0x56286a8c32d0, count=3D1, f=
ormat=3D120, wsize=3D4, addr=3D1073745936, is_physical=3D0) at monitor/misc=
.c:730
#15 0x000056286811eff1 in hmp_memory_dump (mon=3D0x56286a8c32d0, qdict=3D=
0x56286b15c400) at monitor/misc.c:785
#16 0x00005628684740ee in handle_hmp_command (mon=3D0x56286a8c32d0, cmdli=
ne=3D0x56286a8caeb2 "0x40001010") at monitor/hmp.c:1082
From the datasheet "Actel SmartFusion Microcontroller Subsystem
User's Guide" Rev.1, Table 13-3 "SPI Register Summary", this
register has a reset value of 0.
Check the FIFO is not empty before accessing it, else log an
error message.
Signed-off-by: Philippe Mathieu-Daud=C3=A9 <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190709113715.7761-3-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/ssi/mss-spi.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/hw/ssi/mss-spi.c b/hw/ssi/mss-spi.c
index 918b1f3e821..4c9da5d2b28 100644
--- a/hw/ssi/mss-spi.c
+++ b/hw/ssi/mss-spi.c
@@ -165,7 +165,13 @@ spi_read(void *opaque, hwaddr addr, unsigned int size)
case R_SPI_RX:
s->regs[R_SPI_STATUS] &=3D ~S_RXFIFOFUL;
s->regs[R_SPI_STATUS] &=3D ~S_RXCHOVRF;
- ret =3D fifo32_pop(&s->rx_fifo);
+ if (fifo32_is_empty(&s->rx_fifo)) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: Reading empty RX_FIFO\n",
+ __func__);
+ } else {
+ ret =3D fifo32_pop(&s->rx_fifo);
+ }
if (fifo32_is_empty(&s->rx_fifo)) {
s->regs[R_SPI_STATUS] |=3D S_RXFIFOEMP;
}
--=20
2.20.1